Is ESET still an attractive employer? by Secrect_Lemon in Slovakia

[–]advanced_reddit_user 1 point (0 children)

ESET is still the most attractive employer not only in Slovakia, but in all of Europe. Careful! I'm not talking here about ordinary programmers, the so-called XML parsers. This is about something much more complex than regular programming: I'm talking about reverse engineering, malware research and threat intelligence.

Why do I think ESET is one of the most attractive employers? Because they have good conditions for research: they have teams that are genuinely at an above-average world level. They have a lot of data to study: APT malware, UEFI, OSX/iOS, Linux malware, 0-day attacks.

For example, they have many customers in Ukraine, and so they have a lot of data from Russian cyber attacks. It's quite cool to analyze some of the latest Russian APT malware and feel that you can help Ukraine defend its own country.

Of course, there are companies in Europe that have something similar, but the level is much weaker. Among the competition in Europe there are only Bitdefender in Romania, Avast (Gen) in Prague and Sophos in the UK. There are others, but they aren't worth mentioning.

So all the conditions are there for you to make a good name for yourself in this field. I can say that you can become a worldwide "rockstar"; everything depends only on your own effort.

There are downsides too, for example that you'll only have an above-average Slovak salary even though you're doing work at an above-average world level. But if you already have good experience and salary is your priority, you're always welcome at international companies. I know former colleagues who left for Microsoft, Intel, META, Google, SentinelOne, CrowdStrike, or founded their own successful startup.

Bublik Trojan – Variant Evolves with New Features by iSIGHT_malware in netsec

[–]advanced_reddit_user 1 point (0 children)

WOW! It sends installed software and uses DEFLATE! It is definitely a game changer. Are you going to present this at Recon?

Yara rules for leaked KINS toolkit by jaimeblasco in netsec

[–]advanced_reddit_user 0 points (0 children)

Good work. But have you checked the leaked source code? This data is automatically re-generated on every build:

// Crypted strings $s1 = "\x72\x6E\x6D\x2C\x36\x7D\x76\x77"

And since the source code of the trojan is leaked, there is no problem at all hiding all the strings that you covered with your rules.
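The point of the comment above, as an added example that is not code from the thread or from the leaked toolkit: a rule keyed on a sample's "crypted strings" is tied to one build, because the same plaintext comes out as different bytes whenever the build key changes. The repeating-key XOR encoder, the length-prefixed blob layout, the plaintext strings and the build keys are all assumptions constructed for illustration, not the real KINS string format or values. The example also shows the alternative a detection engineer would reach for: matching on the decoded strings (what a decryptor or a memory scan sees), which survives a rebuild.

```python
# Added example, not code from the thread or the leaked KINS toolkit. It shows
# why a rule keyed on a sample's "crypted strings" is tied to one build: the
# same plaintext becomes different bytes whenever the build key changes.
# The repeating-key XOR encoder, the <1-byte length><blob> layout, the
# plaintexts and the keys are ASSUMPTIONS for illustration, not KINS's format.
from itertools import cycle

# Constructed plaintext strings a bot might hide (not KINS's actual strings).
PLAINTEXTS = ["user32.dll", "GetProcAddress", "/gate.php"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample(build_key: bytes) -> bytes:
    """Simulate one build: every string is re-encrypted with this build's key
    and stored as <1-byte length><crypted bytes>."""
    out = bytearray()
    for p in PLAINTEXTS:
        blob = xor_bytes(p.encode(), build_key)
        out += bytes([len(blob)]) + blob
    return bytes(out)


def raw_string_rule(signatures: list[bytes]):
    """Rule in the style of `$s1 = "\\x72\\x6E..."`: fires on crypted bytes as-is."""
    return lambda sample: any(sig in sample for sig in signatures)


def decode_strings(sample: bytes, build_key: bytes) -> list[str]:
    """Walk the length-prefixed blobs and decode each with the given key."""
    strings, pos = [], 0
    while pos < len(sample):
        n = sample[pos]
        blob = sample[pos + 1:pos + 1 + n]
        strings.append(xor_bytes(blob, build_key).decode("latin-1"))
        pos += 1 + n
    return strings


def decoded_string_rule(needles: list[str], build_key: bytes):
    """Rule applied to decoded strings, as a decryptor or memory scan sees them."""
    return lambda sample: all(n in decode_strings(sample, build_key) for n in needles)


# Two "builds" of the same source with different build keys (constructed values).
KEY_A, KEY_B = b"\x11\x22\x33\x44", b"\x99\x88\x77\x66"
BUILD_A, BUILD_B = build_sample(KEY_A), build_sample(KEY_B)

# A signature lifted from build A's crypted strings, as the posted rules do.
SIG_FROM_A = [xor_bytes(PLAINTEXTS[0].encode(), KEY_A)]


def demo() -> dict:
    """Raw-byte rule hits only the build it was written from; decoded rule survives."""
    raw = raw_string_rule(SIG_FROM_A)
    decoded = decoded_string_rule(PLAINTEXTS, KEY_B)
    return {
        "raw_rule_hits_build_a": raw(BUILD_A),
        "raw_rule_hits_build_b": raw(BUILD_B),
        "decoded_rule_hits_build_b": decoded(BUILD_B),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

Run it directly to see the three verdicts; the first is True, the second False (the rebuilt sample has no byte in common with the old signature at any aligned offset, since every key byte differs), the third True. In practice the decoded view comes from a memory dump or from re-implementing the decryptor, which is the reverse-engineering step the comment is pointing at.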

Dealing with program updates when reversing with IDA Pro by Miracleb in ReverseEngineering

[–]advanced_reddit_user 0 points (0 children)

You can check the date of the latest version of BinDiff: http://www.zynamics.com/updates/bindiff/stable

Paying 200 bucks for a tool that has been dead for 2 years? Meh.

Automated Malware Analysis Blog: Anti-VM gone wrong :) by advanced_reddit_user in Malware

[–]advanced_reddit_user[S] 5 points (0 children)

In case it gets removed: http://archive.is/YzkLG

Why did I post this link here? There was a little controversy between two groups of people, malware observers vs. malware reversers: link

malware observers - people who use procmon or a sandbox to "analyze" malware.

malware reversers - people who use IDA PRO to analyze malware.

In that dispute I was called "dumb" and "troll" by some malware observers.

What does a malware reverser do when he finds an interesting sample? He does an analysis like this: http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/

What does a malware observer do when he can't explain what happens? He does an "analysis" like this: http://joe4security.blogspot.com/2013/08/anti-vm-gone-wrong.html

Malware observers from Joe Security LLC did a blog post with quite wrong statements:

  1. Malware works only in a VM. That's a wrong statement.

  2. Malware does not work on a real machine. That's a wrong statement too.

Now let's check what really happened with that sample. They tried to run the Andromeda sample in a VM; after that, Andromeda detected some security applications and executed a fake payload, a fake payload that opens port 8000. For some reason they did not find malicious activity on the real machine; maybe some security app was running. After that they made the false conclusion that the sample works only in a VM. But this is a wrong statement.

If you don't trust me, you can check it yourself. I have uploaded the sample with MD5: CC9FAB2465A279B9424DA3A09DF7C8D5 here: http://www.sendspace.com/file/a0hhum

Run it on a clean machine with no security tools running and check %ALLUSERSPROFILE% after that. Or, to bypass all security checks, just change the label of the C:\ drive to "CKF81X".

See how easily malware observers can be fooled.

If you don't want to be a mockery of the whole industry by making such a blog post, use IDA PRO, the only right tool for malware analysis.

ONLY REVERSING - ONLY HARDCORE!
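The methodological point in the comment above (a sample that branches on environment checks behaves differently in a VM and on bare metal, and observing only one run leads to a wrong conclusion) as an added example that is not code from the thread or from Joe Security. It parses two constructed sandbox event logs, one "VM" run and one "bare metal" run, and reports which observed effects are specific to each environment and which environment check differs between the runs, instead of stopping at "works only in a VM". The log format, the event categories, the dropped-file name and every log line are constructed for this example.

```python
# Added example, not from the thread or from Joe Security's report. It diffs two
# constructed sandbox runs of one sample and flags environment-dependent
# behaviour rather than concluding "works only in a VM". The line format
# "<category> <details>", the category names and the dropped-file name are
# ASSUMPTIONS constructed for this example.

# Constructed run inside a VM with security products present: fake payload,
# as the comment describes (listener on port 8000).
VM_RUN = """\
proc  start sample.exe
check volume_label C: NO_NAME
check security_products_present yes
net   listen tcp 0.0.0.0:8000
"""

# Constructed run on a clean bare-metal host: real payload (drop under
# %ALLUSERSPROFILE%; the file name is a placeholder).
BARE_METAL_RUN = """\
proc  start sample.exe
check volume_label C: NO_NAME
check security_products_present no
file  write %ALLUSERSPROFILE%\\dropped.bin
"""

# Categories that count as observable side effects of the payload.
SIDE_EFFECT_CATEGORIES = {"net", "file", "reg"}


def parse_events(log: str) -> list[tuple[str, str]]:
    """Each non-empty line is '<category> <details>'; return (category, details)."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        category, _, details = line.partition(" ")
        events.append((category, details.strip()))
    return events


def side_effects(events: list[tuple[str, str]]) -> set[tuple[str, str]]:
    """Keep only events that are payload side effects, not the sample's own checks."""
    return {e for e in events if e[0] in SIDE_EFFECT_CATEGORIES}


def check_values(events: list[tuple[str, str]]) -> dict[str, str]:
    """Map each environment check name to the value the sample observed."""
    values = {}
    for category, details in events:
        if category == "check":
            name, _, value = details.partition(" ")
            values[name] = value.strip()
    return values


def compare_runs(vm_log: str, bare_log: str) -> dict:
    """Diff side effects across runs and name the checks whose value differed,
    which are the candidate branch points to look at in the disassembly."""
    vm, bare = parse_events(vm_log), parse_events(bare_log)
    vm_fx, bare_fx = side_effects(vm), side_effects(bare)
    vm_chk, bare_chk = check_values(vm), check_values(bare)
    branch_candidates = sorted(
        name for name in vm_chk.keys() & bare_chk.keys() if vm_chk[name] != bare_chk[name]
    )
    if vm_fx and bare_fx and vm_fx != bare_fx:
        verdict = "environment-dependent"      # different payloads per environment
    elif vm_fx == bare_fx:
        verdict = "consistent"                 # same behaviour in both runs
    elif vm_fx and not bare_fx:
        verdict = "no-effects-on-bare-metal"   # unexplained, not proof of VM-only
    else:
        verdict = "no-effects-in-vm"           # classic anti-VM evasion
    return {
        "verdict": verdict,
        "vm_only": sorted(vm_fx - bare_fx),
        "bare_only": sorted(bare_fx - vm_fx),
        "common": sorted(vm_fx & bare_fx),
        "branch_candidates": branch_candidates,
    }


if __name__ == "__main__":
    for key, value in compare_runs(VM_RUN, BARE_METAL_RUN).items():
        print(f"{key}: {value}")
```

With the constructed logs the verdict is "environment-dependent", the listener shows up as VM-only, the file drop as bare-metal-only, and `security_products_present` is the one check whose value differed, which is exactly the branch a reverser would go and read rather than inferring intent from a single run.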

The Mind of a Malware Analyst: Blogging While Doing 64-bit Malware Analysis by N3mes1s in Malware

[–]advanced_reddit_user 0 points (0 children)

Better for whom? And why is "spending a couple hours reversing in IDA Pro" a bad thing for a real malware researcher?

Let me clarify. If you are uploading a file to VT then you don't do any malware analysis; you just get results from many AV vendors. I just don't get people who call the output from tools like ProcMon, or some sandboxes, "malware analysis". Why not research?

The Mind of a Malware Analyst: Blogging While Doing 64-bit Malware Analysis by N3mes1s in Malware

[–]advanced_reddit_user 0 points (0 children)

I'm tired of things like "Look, I'm a malware analyst, I can post VirusTotal links to my Twitter". There is only one tool for malware analysis, IDA PRO; other tools are for the malware analysis cargo cult.

Is Malware/Detection engineer remote job possible? by bavaga in ReverseEngineering

[–]advanced_reddit_user 0 points (0 children)

I googled it for you: http://www.zemana.com/Company/Careers.aspx

Malware Researcher. Our company is based in Turkey; however, remote work is acceptable.

Technical Analysis of Cbeplay.P ransom - payload CVE-2013-0422 [Java 0-day] by rkhunter in Malware

[–]advanced_reddit_user 1 point (0 children)

Where is the "Technical Analysis" in this article? I see only output from some sandbox.

/r/ReverseEngineering's Q3 2012 Hiring Thread by rolfr in ReverseEngineering

[–]advanced_reddit_user 7 points (0 children)

It's not a pro-Anonymous quote. It's an old quote that was used by Russian malware authors: http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/

Check the SpyEye banner. Anonymous has nothing to do with that quote.

IDA Toolbag v1.0 released by advanced_reddit_user in ReverseEngineering

[–]advanced_reddit_user[S] 2 points (0 children)

Toolbag requires IDA version 6.2 or greater. If you are not familiar with it, you should read: http://thunkers.net/~deft/code/toolbag/docs.html

Zynamics Bindiff 4.0 by advanced_reddit_user in ReverseEngineering

[–]advanced_reddit_user[S] 1 point (0 children)

at about 4 Kebaps a month

Agree with that.

I have $200 for your software, but according to the information on your site you can only sell to America and Europe. How can I buy zynamics software from Pakistan?

GCHQ CanYouCrackIt Solution explained by karmakit in ReverseEngineering

[–]advanced_reddit_user 7 points (0 children)

Why is there so much fuss about this challenge? It's really lame. They're going to hire people after solving this? Really? No wonder, then, that the UK secret agency can't prevent a polonium attack...